Type of Attack Indicators

A disgruntled administrator is fired for negligence at your organization. Thirty days later, your organization’s internal file server and backup server crash at exactly the same time. Examining the servers, you determine that critical operating system files were deleted from both systems. If the disgruntled administrator was responsible for administering those servers during her employment, this is most likely an example of what kind of malware?

A colleague has been urging you to download a new animated screensaver he has been using for several weeks. While he is showing you the program, the cursor on his screen moves on its own and a command prompt window opens and quickly closes. You can’t tell what if anything was displayed in that command prompt window. Your colleague says, “It’s been doing that for a while, but it’s no big deal.” Based on what you’ve seen, you suspect the animated screensaver is really what type of malware?

Several desktops in your organization are displaying a red screen with the message “Your files have been encrypted. Pay 1 bitcoin to recover them.” These desktops have most likely been affected by what type of malware?

While port-scanning your network for unauthorized systems, you notice one of your file servers has TCP port 31337 open. When you connect to the port with the security tool netcat, you see a prompt that reads, “Enter password for access:”. Your server may be infected with what type of malware?

While port-scanning your network for unauthorized systems, you notice one of your file servers has TCP port 61337 open. When you use Wireshark and examine the packets, you see encrypted traffic, in single packets, going back and forth every five minutes. The external connection is a server outside of your organization. What is this connection?

A user in your organization is having issues with her laptop. Every time she opens a web browser, she sees different pop-up ads every few minutes. It doesn’t seem to matter which websites are being visited—the pop-ups still appear. What type of attack does this sound like?

Users at your organization are complaining about slow systems. Examining several of them, you see that CPU utilization is extremely high and a process called “btmine” is running on each of the affected systems. You also notice each of the affected systems is communicating with an IP address outside your country on UDP port 43232. If you disconnect the network connections on the affected systems, the CPU utilization drops significantly. Based on what you’ve observed, you suspect these systems are infected with what type of malware?

A piece of malware is infecting the desktops in your organization. Every hour, more systems are infected. The infections are happening in different departments and in cases where the users don’t share any files, programs, or even e-mails. What type of malware can cause this type of infection?

Which of the following are characteristics of remote-access trojans?

o test your systems against weak passwords, you as an admin (with proper permissions) test all the accounts using the top 100 commonly used passwords. What is this test an example of?